(My) Last.FM hacked?
Jan 23rd, 2010 by handolio
**Updated below**
I got a worrying email last night from a friend and ex-colleague, letting me know that he’d had a phishing message purportedly from my Last.FM account.
Oops, we both thought – I’d been hacked. I went in and changed my password.
I subsequently discovered an email to me ‘from’ another colleague that also looks very much like a phishing attempt. Interestingly, this email refers to a new Shoutbox message that doesn’t appear in my Shoutbox on the site itself.
It’s quite possible I was phished or that someone guessed my rather weak password, but the fact that there’s no message on the site when the email says there is suggests that something more sinister may be afoot – if the email isn’t from Last.FM, how would the phishers know my email address, which isn’t published on my profile page?
And although they could easily use my profile to find the people I know, these things don’t tend to rely on someone actually sat at a computer spending time on stuff like that – they’re normally automated.
So what’s going on here? Has somebody got hold of Last’s email database yet they’re unable to read the passwords? Was I phished? Or is there simply an easy way of finding someone’s email address from their Last profile?
**Update**
OK, I had to write this in a hurry and have now had time to take a better look. It is a straightforward case of my account being hacked or me having been phished. Working on a couple of theories…

I got Last.FM emails from you too – one at quarter past eleven last night, one at half six this morning.
Fortunately I saw that you’d posted this to Hackbash before I followed the dodgy link. Saved by the blog.
It’s really very odd. I’m positive I wasn’t phished on Last.FM, but in early December I was on Twitter. I realised and changed my password immediately, but I had been using the same username/pwd combo on Last.
Given that the shoutbox messages were very similar to the ones on Twitter, my suspicion is they tried the details they’d got for Twitter against Last.FM.
Anyway, that’s a lesson for me – I’m off to change all of my passwords to something unique.
The Twitter phishing messages seem to be making the rounds again.
To anyone who’s been hacked or who has inadvertently followed a link in a phishing message and provided login credentials:
1) Change your Twitter password immediately
2) ALSO change the password for sites (hotmail, Facebook, Flickr) where you use the same login/password combo – I’m sure that’s how they got into my Last.FM account (see above)
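The advice in the comment above (rotate the phished password everywhere it was reused) is easier to follow if you can answer "which of my accounts share that password?" mechanically. The script below is an added example, not code from the original post or from any commenter: it assumes a plain CSV export of a password manager with columns site,username,password, and the rows in it are constructed sample data rather than anyone's real credentials. Given the site that was phished, it lists the other sites whose password must be changed and generates a unique replacement for each.

```python
"""Which accounts must be rotated after one site's credentials are phished?

Added example (not from the original post). Assumes a CSV password-manager
export with columns site,username,password; the sample rows below are
constructed, not real credentials.
"""
import csv
import io
import secrets
import string
from collections import defaultdict

# Constructed sample export: three sites share one username/password pair,
# one reuses the password under a different username, one is unique.
SAMPLE_EXPORT = """site,username,password
twitter.com,handolio,correct horse
last.fm,handolio,correct horse
flickr.com,handolio,correct horse
hotmail.com,handolio@example.com,correct horse
facebook.com,handolio,s0mething-else
"""


def load_export(text):
    """Parse the CSV export into a list of (site, username, password) tuples."""
    reader = csv.DictReader(io.StringIO(text))
    return [(r["site"], r["username"], r["password"]) for r in reader]


def accounts_to_rotate(entries, breached_site):
    """Return the other sites that use a password also used on breached_site.

    A password match alone is enough to flag a site: whoever phished the
    password will try it with every username they can link to the victim,
    so the "same password, different username" case is included.
    """
    leaked = {pw for site, _, pw in entries if site == breached_site}
    return sorted({site for site, _, pw in entries
                   if pw in leaked and site != breached_site})


def reuse_report(entries):
    """Map every password used on more than one site to the sites using it."""
    by_password = defaultdict(list)
    for site, _, pw in entries:
        by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items()
            if len(sites) > 1}


def new_password(length=20):
    """Generate a random replacement password from the OS CSPRNG (secrets)."""
    alphabet = string.ascii_letters + string.digits + "-_!?"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    entries = load_export(SAMPLE_EXPORT)
    for site in accounts_to_rotate(entries, "twitter.com"):
        print(f"rotate {site}: suggested new password {new_password()}")
```

Run against a real export the reuse_report() output is the list to work through even before a breach: any password that appears on more than one site is one phishing email away from compromising all of them.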
But don't most browsers catch the phishing sites before you get anywhere near them? I know Chrome and Firefox do